Any meaningful UX testing in 2023 needs to account for ad blockers and password managers.

If your site or app doesn’t work with popular ad blockers, or it refuses to allow logins pasted in from password managers, it’s broken.

Yes, some executive type will want to argue about this because they think ad blocking will go away or they misunderstood some now outdated infosec guidance. They’re wrong. Users use ad blockers and password managers and if your stuff doesn’t work with them, it’s broken.

I’m not uninstalling my ad blocker. I’m not making an exception for your site. Your password complexity requirements are a waste of time. Blocking pasting into password fields is bad. You’ve made your site worse for incredibly silly reasons. Maybe don’t do that.
@tommorris what you reckon on this tactic?
@brian need an adblocking list that blocks the “you’re using an ad blocker” scripts.
@tommorris @brian If there isn't an easily-findable "show the site anyway" button then I disable JavaScript on the site and reload, and if that still doesn't work I just never go to that site again.
@jribbens @tommorris @brian uBlock Origin's element zapper tool is really good too
@brian @tommorris this tactic just makes me close webpages and go away. 99% of the time the content isn't worth it. Not worth subscribing for either.
@tommorris 🥥 This toot earned you a follow, Tom. 🥥

@tommorris

+1 to all of that ... additionally

Your content is not sufficiently special that I can't get it from a lower-lift source.

Anyone know of a browser extension that reminds you why you don't want to go to that site instead of actually taking you there?

"I've got a little change in my pocket .... " as it were.

@tommorris I have suggested to a site owner or two that I would consider un-blocking if they run the ad infrastructure. Nobody really does now though. I'm not unblocking for ad-auction processes that will send me whatever nonsense the auction winner chooses.

@tim_lavoie @tommorris One argument I've heard for using an external ad server is as an audit mechanism for the number of impressions/clicks.

If you do everything in-house, then the advertisers need to take your word for it that their ad was actually displayed.

@jamesh @tommorris Does an advertiser get this today from Google or Facebook? Is there any assurance that the ad was viewed by a person?

Even still, none of this requires surveillance-based ads, which are the dominant variety today. Opt out.

@tim_lavoie @tommorris For a website, their ad space is more valuable if there is more certainty about how many times they've been viewed. And for the advertiser, it's nice if there's fewer people to audit or trust.

This isn't saying that the current mess of third party cookie user tracking is necessary: just that there are reasons besides cross-site user tracking why a site might outsource ad serving.

@jamesh @tim_lavoie @tommorris So instead, they outsource it to third parties that all have had repeated problems with large-scale fraud. There are other ways to implement this that are privacy-preserving and don't require third parties, if the industry cared to invest in it, but they don't.
@tommorris I also hate that new login flow popular sites use nowadays. Requiring a User-Name (or E-Mail) first *hit Enter* Now you can enter your password.

It just makes Auto-Type from, say, KeePassDX so much more of a hassle, since I have to go into KeePass once to select the username and then again for the password.

I am used to this on Android (Auto-Type is not a thing there and Autofill just sometimes works correctly...). I may have to look into that on the Android side more.
@tommorris I only have one thing to say to this...
@tommorris I'd go one further and argue that if your site/service relies on displaying ads to the user as a primary source of revenue, it's broken.

@azonenberg @tommorris It's more complicated than that. Adblockers often block tracking scripts as well, or even just telemetry scripts that are relatively harmless (but *can* be used for tracking). These aren't actually business-critical on a per-user basis, but it's possible for the site's main scripts to break by accident if the telemetry library isn't there.

(Naturally, I use an adblocker on my work computer, which means if the site breaks for me, I'll know about it and will be able to give a heads-up to whoever wrote the overly-entangled code.)

@varx @tommorris And imo if you rely on telemetry your site is also broken :)

@azonenberg Hmm, I may not have been clear enough.

Imagine a piece of JS that has business logic, maybe making a fetch request for more widgets to show on the screen. If it detects a certain condition, it calls NewRelic.recordEvent(...) and goes on about its business. This isn't business critical, and if you asked the developer "hey, how important is it that this works?" they would say "eh, no big deal if it doesn't send the info". But what they're not anticipating is that window.NewRelic might be *undefined*. They've forgotten to include an if(NewRelic){...} around it.

That's the kind of scenario I mean. It comes up now and then.

It's broken, but it's not an *intentional* reliance on telemetry.
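An illustration of the failure mode varx describes, added here as an example rather than code from anyone in the thread: the telemetry global name (`NewRelic`) and its `recordEvent` method are taken from the post above and treated as assumptions about the agent's API; the widget loader is a constructed stand-in for the "fetch more widgets" business logic. The fragile version throws when an ad blocker has kept the agent script from ever defining the global; the guarded version treats telemetry as best-effort and keeps the page working.

```javascript
// Added example (not from the thread). Shows why business logic must not
// assume a telemetry global exists: ad blockers routinely block the agent
// script, so window.NewRelic (assumed API name) is simply undefined.

// Resolve the global object so this runs both in a browser and in Node.
const root =
  typeof globalThis !== "undefined" ? globalThis :
  typeof window !== "undefined" ? window : {};

// Hypothetical name of the telemetry agent's global, as in the post above.
const TELEMETRY_GLOBAL = "NewRelic";

// Fragile version: the developer "forgot the if". With the agent blocked,
// the bare identifier lookup throws a ReferenceError and the widgets never
// reach the screen even though the telemetry call was never important.
function fragileFetchWidgets(widgetLoader) {
  const widgets = widgetLoader();
  if (widgets.length === 0) {
    NewRelic.recordEvent("EmptyWidgets", { count: 0 }); // crashes if blocked
  }
  return widgets;
}

// Guarded version: telemetry is optional. Look the agent up on the global
// object (no ReferenceError), check the method exists, and swallow any
// error the agent itself raises so it can never take the page down.
function recordEventSafely(eventName, attributes) {
  const agent = root[TELEMETRY_GLOBAL];
  if (!agent || typeof agent.recordEvent !== "function") {
    return false; // agent blocked or not loaded yet: skip silently
  }
  try {
    agent.recordEvent(eventName, attributes);
    return true;
  } catch (_err) {
    return false; // a misbehaving agent is still not business-critical
  }
}

function robustFetchWidgets(widgetLoader) {
  const widgets = widgetLoader();
  if (widgets.length === 0) {
    recordEventSafely("EmptyWidgets", { count: 0 });
  }
  return widgets;
}

// Runs both versions against a constructed empty widget list with the agent
// absent, and reports whether each one survived.
function demo() {
  delete root[TELEMETRY_GLOBAL]; // simulate the agent script being blocked
  const emptyLoader = () => [];
  let fragileSurvived = true;
  try {
    fragileFetchWidgets(emptyLoader);
  } catch (_err) {
    fragileSurvived = false;
  }
  const robustSurvived = Array.isArray(robustFetchWidgets(emptyLoader));
  return { fragileSurvived, robustSurvived };
}
```

The lesson generalises beyond one vendor: any call into a third-party script that an ad blocker might remove should go through a guard like `recordEventSafely`, and the site's own tests should run at least once with a popular blocker installed so that an undefined global is caught before users see it.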

@varx I was more implying that I don't like the idea of telemetry in prod at all (vs a staging/dev server).
@azonenberg @varx Agreed! And the common cookie-consent forms misidentify telemetry as "performance".
@grinningcat @azonenberg Mmm... I think that's a separate conversation. See my reply at https://infosec.exchange/@varx/110469064723927560 for how "telemetry" is an overly broad term, but also cookie consent is different enough from telemetry that I'm not really comfortable making statements that cover both. I will say that in both cases there's a weird middle ground that's very hazy, though.

@azonenberg Hmm..."telemetry" covers a *huge* range of things. That's part of the problem here. So you have:

- A/B testing and "user journey" analysis (more on the marketing and sales side)
- Feature usage statistics (important for knowing what you need to keep supporting)
- Error reporting (critical for knowing if you've broken the site)

...and all of that sometimes gets lumped under "telemetry".

I work on the backend, and I rely very heavily on telemetry to know what's working, what's being used vs. what can be deprecated, whether a dark-launch is successful, etc. I don't know for sure what people do on the frontend, but I imagine it's very similar. And as long as it's not tracking individual users, I don't see the problem.

@tommorris As an aside, Firefox allows you to disable paste blocking: in about:config toggle dom.event.clipboardevents.enabled to false.
@tommorris Spot on. Apple is the worst offender. It pushes strong passwords on you at every turn. Yet half the time, those long strings don't get saved in your Keychain and propagated across your iCloud devices. And even when they do, if you try to log into an Apple website — guess what? There is no password autofill UI for your strong passwords. You have to KNOW to copy them out of your Password Settings FIRST. This UX is so busted...
@tommorris I've also had sites block me for auto-type which is bullshit.
@tommorris ad blocking won't go away until ads stop being intrusive. As the execs aren't likely to sign that off, we're all stuck in the arms race.

@tommorris Once Upon A Time there was a thing called "zonealarm" which took it upon itself to remove the "ADVERTISE" button when it displayed my web site to its users (aka victims).

Hence endless conversations along the lines of:

"So how do I actually place an advertisement on your advertising web site?"

"Press the ADVERTISE button and fill in the form."

"What ADVERTISE button?"

I do *not* consider that it was my duty to code around this "zonealarm" malware, so I'm going to disagree with you.

@TimWardCam @tommorris
Cool. But don't complain when your site breaks because your users are protecting themselves.

Also? "This one time a single user tool broke something it shouldn't have and now I'm going to try to punish all users using similar tools forever" is a bad look.

@dymaxion @tommorris There are thousands of tools out there. I'm supposed to buy subscriptions to all of them, and the platforms they run on, and test with everything once a week? For a free public service I provide?

Meanwhile, back in the real world ...

@TimWardCam @tommorris
No. But you should probably test periodically with the most popular half dozen and be aware of the development patterns that are likely to become fragile around them and code with the understanding that the site should still function if remote resources likely to be blocked aren't available. Aka, the way professional devs are expected to. But you do you.

@dymaxion @tommorris How much does an iPhone cost?

It's a free public service. If it works for almost everybody who tries to use it, great. If someone complains that it's not working for them, I investigate.

@TimWardCam @dymaxion My intended suggestion was “if you are testing on a device, test with a popular adblocker installed (as quite a lot of users will have one)” not “extend testing scope beyond practicality”. The target of my post was professionals working on commercial projects with resources to test with and an expectation or obligation to test across multiple devices.

uBlock Origin with the default settings is free and available for most popular desktop browsers.

@tommorris See also: scroll-jacking. Interposing clipboard copies. Redirection through interstitial load. Useless captchas.

When a machine solves your human verification better than humans do, you're "totally winning that war".

@tommorris I'd add browsers autocompleting addresses to that list (assuming you deal with addresses). It doesn't happen as much but I remember for a while it seemed like some sites would look like they auto filled but then when you submitted the form all the address fields would be blank.
@tommorris it would also be nice if a site would show *something* when JavaScript is blocked (which is also a security measure)